
Top Spoofed Brands Used in Quishing Attacks

Quishing attacks are rising, exploiting trusted brands to deceive users. Discover the most spoofed brands, the risks they pose, and how Keepnet mitigates these threats.

Top Spoofed Brands Used in Quishing Attacks – Protect Your Business

Cybercriminals increasingly target well-known brands to exploit the trust users place in them. In the first quarter of 2024, Microsoft accounted for 38% of all brand phishing attempts, making it the most spoofed brand, with Google following at 11%.

Quishing attacks take this further by embedding malicious QR codes into phishing campaigns, redirecting users to fraudulent websites, or prompting them to download malware. As a result, businesses face severe consequences, including financial losses, reputation damage, and operational disruptions.

In this blog, we’ll explore the most spoofed brands targeted in quishing attacks, what quishing is, how it works, its impact, and how Keepnet’s Quishing Simulation and Awareness training helps protect against these sophisticated threats.

What Are Quishing Attacks?

Quishing is a phishing tactic that uses malicious QR codes to deceive users. These codes, often embedded in emails, posters, or digital platforms, redirect victims to fraudulent websites or initiate malware downloads.

What makes quishing especially dangerous is its frequent use of brand spoofing. Attackers impersonate trusted brands, leveraging their credibility to lower suspicion and increase the likelihood of success. For example, a fake QR code might mimic a login page for a well-known service like Microsoft or Google, tricking users into providing sensitive information.

By exploiting the trust in QR codes for payments and logins, combined with brand recognition, quishing attacks bypass traditional security filters and rely heavily on human error. This highlights the critical need for security awareness training and robust defenses.

To learn more about what quishing is and how it deceives people, check out our blog.

Watch Keepnet’s video featuring the real story of a QR code attack in action.

How Quishing Works

Quishing is particularly effective because QR codes are often trusted by users. Understanding how quishing works is important for identifying and preventing this growing threat.

Here’s how it works:

1. Fake QR Codes

Attackers design QR codes that mimic trusted brands and place them in phishing emails or promotional materials. The examples below show how a QR code can be disguised as coming from a real brand:

Picture 1: Keepnet Sample of Quishing Scenario

Picture 2: Keepnet Sample of Quishing Scenario

2. Scanning Deception

Victims scan the codes, believing they are legitimate. See the example video below to learn how they make people believe they are legitimate.

3. Phishing or Malware

The codes redirect users to fake websites to steal credentials or trigger malware downloads. One unique use case of quishing involves targeting employees of a financial institution through cleverly placed QR codes in parking lots near their offices.

Attackers might print these codes on stickers that mimic promotional offers for nearby cafes or parking discounts. For instance, a QR code might claim to redirect to a "secure payment portal" to receive a 50% parking fee reduction. Once scanned, the QR code directs the victim to a fake corporate login page disguised as their organization's secure VPN portal.

Employees, believing the site to be legitimate, enter their credentials, giving attackers access to the institution's internal systems. Alternatively, the QR code could trigger the download of a malware-laden app, compromising the device and potentially the network it connects to. This method leverages convenience and time-sensitive incentives to bypass users' usual caution, making it highly effective against even security-conscious individuals.

The Growing Threat of Quishing Attacks

A recent study found that 63% of participants struggled to distinguish between legitimate and malicious QR codes, underscoring the need for enhanced security awareness. Adding to this challenge, Keepnet revealed that 50% of phishing emails now include attachments such as PDFs or QR codes, which are more difficult to detect and bypass traditional security filters.

Below are some critical statistics that highlight the scale of this growing issue of quishing in 2025:

  1. Surge in Incidents: Over 8,878 QR code phishing attacks were detected from June to August 2023, with June reporting 5,063 cases.
  2. Low Detection Rates: Only 36% of attacks were identified and reported, exposing gaps in awareness.
  3. Targeted Industries: The energy sector is most affected (29%), followed by manufacturing, insurance, tech, and financial services.
  4. Growing Use of QR Codes: 26% of malicious links are embedded in QR codes; QR-based phishing attacks increased by 587% in 2023.
  5. Rising Payment Risks: QR code payments are projected to surpass $3 trillion by 2025, increasing fraud opportunities.
  6. Executives Targeted: Executives faced 42 times more QR code phishing attacks than average employees in 2023.

Check out our blog on Quishing Statistics if you want to see more detailed trends and learn how vishing has evolved.

Why Big Brands Are Prime Targets in Quishing Attacks

Cybercriminals increasingly focus on spoofing popular brands in quishing attacks due to the trust and familiarity these companies command. This strategy exploits both psychological and technical vulnerabilities to achieve higher success rates.

1. Broad User Base = More Victims

Global brands like Amazon, Microsoft, and Google serve millions of users, making them a lucrative target. A single quishing campaign spoofing such brands can potentially deceive thousands, amplifying the attacker’s reach and impact.

2. Trust in Familiarity

Users inherently trust well-known brands, making them less likely to scrutinize QR codes or communications that appear to originate from these companies. Cybercriminals exploit this trust to bypass skepticism and lure users into scanning malicious QR codes.

Example Case

According to The Sun US, in 2024, a woman in Singapore fell victim to a quishing attack after scanning a QR code advertising free bubble tea. The malicious code directed her to download a fraudulent app, allowing attackers to steal $20,000 from her bank account. This case highlights how brand spoofing in quishing campaigns effectively lowers users' defenses.

By leveraging trusted brands, quishing attackers significantly increase their success rates, making awareness training and proactive measures critical to mitigate these risks.

Top 5 Spoofed Brands Used in Quishing Attacks

Quishing attacks, which use malicious QR codes to deceive users, frequently exploit trusted brands to increase their success rates. A recent study in cybersecurity identified the following as the most impersonated brands in QR code phishing campaigns:

1. Microsoft Spoofed in 51% of Quishing Attacks

A recent study revealed that 51% of all QR code phishing attacks spoof Microsoft, making it the most frequently impersonated brand in quishing campaigns. Attackers take advantage of Microsoft’s vast user base and trusted reputation to carry out these attacks successfully.

Targeted Services:

Phishing campaigns typically target Office 365 and OneDrive, as these services hold sensitive business data and are essential for collaboration and productivity.

Attack Example:

Phishing emails disguised as official Microsoft notifications often include fake QR codes to deceive users. Here’s how a common attack works:

  1. The Bait: The victim receives an email with a subject like “Action Required: Your Microsoft Account Session Expired.” The email instructs them to scan a QR code to re-login.
  2. The Deception: Scanning the QR code redirects the victim to a counterfeit Microsoft login page designed to look legitimate.
  3. The Trap: The victim enters their login credentials, which are then stolen by the attackers.

This tactic effectively combines urgency and trust to manipulate victims into providing sensitive information.

Picture 3: Sample of Real Quishing Scenario- Microsoft QR Code Scam

Impact:

Stolen credentials can give attackers access to emails, files, and sensitive business data stored in Office 365 or OneDrive. This can lead to data breaches, financial losses, and reputational harm for organizations.

2. DocuSign Spoofed in 31% of Quishing Attacks

A recent study found that 31% of all QR code phishing attacks impersonate DocuSign, making it the second most spoofed brand in quishing campaigns. Attackers target DocuSign’s reputation as a trusted digital signature platform to deceive users into sharing sensitive information.

Targeted Services:

Phishing campaigns focus on DocuSign’s digital document signing and approval services, which are widely used for business transactions and legal processes.

Attack Example:

Phishing emails posing as DocuSign notifications often include malicious QR codes to exploit user trust. Here’s how a typical attack works:

  1. The Bait: The victim receives an email titled “Urgent: Sign Your Document” or “Action Needed: Pending Approval.” The email contains a QR code, claiming it will take them directly to the document.
  2. The Deception: Scanning the QR code redirects the victim to a fraudulent DocuSign login page that looks authentic.
  3. The Trap: The victim enters their credentials or other sensitive information, which attackers then harvest for unauthorized access or further attacks.

Picture 4: Keepnet Sample of Real Quishing Scenario - DocuSign QR Code Scam

Impact:

Successful attacks allow cybercriminals to access sensitive documents, steal login credentials, and potentially compromise financial or legal data, leading to significant business risks.

3. Adobe Spoofed in 15% of Quishing Attacks

Adobe ranks third among the most spoofed brands in quishing attacks, with 15% of all QR code phishing campaigns impersonating the company. Cybercriminals exploit Adobe’s global reputation as a trusted provider of creative tools and PDF solutions to deceive users.

Targeted Services:

Attackers primarily target Adobe’s Creative Cloud and PDF services, which are widely used for document management and creative work.

Attack Example:

Emails pretending to be from Adobe frequently include malicious QR codes. Here’s how these attacks work:

  1. The Bait: Victims receive an email with a subject like “Subscription Expiration” or “Account Locked – Verify Now.” The email contains a QR code, urging users to scan it to renew their subscription or regain access.
  2. The Deception: Scanning the QR code redirects victims to a fraudulent Adobe login or payment page that looks authentic.
  3. The Trap: Victims enter their credentials or payment information, which are stolen by attackers for unauthorized use or financial theft.

Picture 5: Keepnet Sample of Real Quishing Scenario - Adobe QR Code Scam

Impact:

These attacks can lead to stolen accounts, unauthorized access to Adobe services, and theft of sensitive payment information, causing both financial losses and reputational damage.
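
The three attack flows above (Microsoft, DocuSign, Adobe) share one detectable trait: the email claims a brand, but the QR code resolves to a host that brand does not own. The following triage check is an added example, not Keepnet's code; it assumes the QR payload has already been decoded to text, and the domain allowlist, the function names and the sample messages are illustrative assumptions.

```python
from urllib.parse import urlsplit

# Illustrative allowlist (assumption): domains each brand really uses; extend for your tenant.
BRANDS = {
    "microsoft": (("microsoft", "office 365", "office365", "onedrive"),
                  ("microsoft.com", "microsoftonline.com", "office.com", "live.com")),
    "docusign": (("docusign",), ("docusign.com", "docusign.net")),
    "adobe": (("adobe", "creative cloud"), ("adobe.com",)),
}
# Urgency wording taken from the subject lines quoted in this article.
URGENCY = ("action required", "action needed", "urgent", "session expired",
           "account locked", "verify now", "subscription expiration", "pending approval")

def on_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage_qr_url(subject, payload):
    """Classify text decoded from a QR code in an email.

    Returns (verdict, reasons); verdict is "ok", "review" or "suspicious".
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "review", ["payload could not be parsed as a URL"]
    if parts.scheme not in ("http", "https") or not host:
        return "review", ["payload is not an http(s) URL"]

    # A brand is "claimed" if it appears in the subject or anywhere in the URL.
    claimed = f"{subject} {parts.netloc} {parts.path}".lower()
    mismatches = [
        f"claims {brand} but host {host} is not a {brand} domain"
        for brand, (keywords, domains) in BRANDS.items()
        if any(k in claimed for k in keywords)
        and not any(on_domain(host, d) for d in domains)
    ]
    flags = []
    if parts.scheme == "http":
        flags.append("no TLS")
    if parts.username is not None:
        flags.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label in host")
    if mismatches and any(u in subject.lower() for u in URGENCY):
        flags.append("urgent subject wording")
    verdict = "suspicious" if mismatches else ("review" if flags else "ok")
    return verdict, mismatches + flags

# Constructed sample messages (reserved .example hosts), not real indicators.
SAMPLES = [
    ("Action Required: Your Microsoft Account Session Expired",
     "https://login.microsoftonline.com/common/"),
    ("Urgent: Sign Your Document", "https://docusign.com.secure-sign.example/login"),
    ("Adobe: Account Locked - Verify Now", "http://xn--adbe-constructed.example/renew"),
]
if __name__ == "__main__":
    for subject, url in SAMPLES:
        print(triage_qr_url(subject, url))
```

The suffix match in `on_domain` is what rejects hosts such as `docusign.com.secure-sign.example`, where the brand's domain appears only as a leading label.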

The Business Impact of Quishing Attacks

Quishing attacks, which use malicious QR codes, have serious implications for businesses, leading to financial losses, reputational harm, and operational disruptions.

1. Financial Losses

According to Keepnet research, a real-life quishing attack left a victim with £13,000 in debts, including a fraudulent loan of £7,500 taken out by scammers. This case highlights the severe financial toll quishing can take on both individuals and businesses.

2. Reputational Damage

Keepnet research revealed a dramatic rise in QR code phishing emails between June and August 2023, with 8,878 incidents detected. June marked the peak of this surge, with 5,063 cases reported. These figures indicate a significant shift in cybercriminal tactics, putting trusted brands at risk of impersonation and damaging their reputations. The erosion of trust caused by such incidents can result in customer attrition and long-term harm to brand value.

3. Operational Disruptions

Quishing attacks impose substantial operational costs, including those for incident response, IT recovery, and security enhancements. Keepnet research highlights that only 36% of quishing attacks are detected and reported, leaving businesses vulnerable to repeated breaches. These operational challenges further emphasize the necessity for proactive measures to safeguard against evolving threats.

How Keepnet Mitigates Quishing Risks

Quishing attacks often exploit trusted brands through spoofing to deceive users, making them highly effective and dangerous. Keepnet Human Risk Management Platform offers a robust, multi-layered approach to mitigate these threats by focusing on education, realistic simulations, proactive defense, and tailored reporting.

1. Behavior-Based Security Awareness Training

Keepnet’s Security Awareness Training focuses on empowering employees to identify and avoid malicious QR codes impersonating trusted brands:

  • Behavior-Based Learning Paths: Training is personalized to individual behaviors and job roles, helping employees spot brand spoofing.
Picture 6: Keepnet Scientific Behavior Change Approach to Security Awareness Training
  • Retention Tools: Posters, screensavers, and infographics reinforce key practices for identifying fake QR codes mimicking popular brands.
  • Comprehensive Marketplace: Offers over 2,100 training materials in 36+ languages, ensuring global reach and effectiveness.

Watch the video below to learn more details about Keepnet Security Awareness Training.

Keepnet’s behavior-driven learning paths ensure employees receive tailored training based on their risk profiles. This personalized approach increases retention and equips teams to combat quishing attempts effectively.

To learn more about the Security Behavior and Culture Program that Keepnet leverages, read our blog post.

2. Realistic Quishing Simulations

Keepnet’s Quishing Simulator replicates real-world spoofing scenarios to test employees’ ability to identify fake QR codes.

  • Spoofing Simulation: Tests employee readiness by simulating QR codes that impersonate brands like Microsoft or Amazon.
  • Performance Insights: Tracks how users respond to spoofing attempts, providing actionable insights to enhance training.

Watch the video below to learn more details about Keepnet Quishing Simulator.

Learn more about how you can launch a simulated QR phishing attack to test your employees in our guide.

3. AI-Powered Human Risk Management Solution

Keepnet Human Risk Management Platform leverages advanced AI technology to enhance defenses against quishing attacks that rely on brand spoofing. By using AI-driven tools, organizations can better simulate and combat these sophisticated threats.

Picture 7: AI Capabilities of Keepnet Human Risk Management Platform
  • Security Awareness Program Manager: AI enables the creation of tailored security awareness training plans. These plans are customized based on roles, risks, and specific phishing scenarios, such as quishing campaigns targeting trusted brands.
  • Phishing Scenarios Creation: AI generates realistic phishing and quishing templates, mimicking trusted brands with high accuracy. These include email and QR code simulations, as well as advanced scenarios like voice-based deepfake phishing, ensuring employees are prepared for emerging threats.
  • Real-Time Deepfake Test and Training: Keepnet provides real-time simulations of deepfake attacks, such as simulated CEO voice phishing calls. After testing, targeted training addresses gaps identified during the simulation.

Keepnet leverages AI to create highly accurate, brand-specific quishing simulations, ensuring employees are trained to recognize even the most convincing phishing attempts. This AI-powered adaptability ensures your organization stays ahead of evolving threats.

4. Localization for Effective Learning

Spoofing attacks frequently target global organizations, exploiting diverse employee bases. Keepnet ensures that training is tailored to meet the unique needs of employees worldwide, improving engagement and effectiveness.

Picture 8: Localization features of Keepnet tools
  • Time Zone-Specific Training: Keepnet allows organizations to schedule training sessions based on employees' local time zones. This ensures that training emails and sessions are delivered at optimal times, maximizing participation and engagement.
  • Multi-Language Support: With training materials available in 36+ languages, employees can access content in their preferred language. This makes it easier for global teams to understand and respond to spoofing tactics effectively.
  • Multi-Organization Training Delivery: Keepnet streamlines the process for businesses with multiple subsidiaries or partners. Training can be delivered to employees across multiple organizations simultaneously, saving time, reducing stress, and cutting costs.

By addressing global needs through time zone alignment, multilingual support, and multi-organization capabilities, Keepnet helps businesses build strong defenses against spoofing, regardless of geographical diversity.

Learn more about the benefits of localization in security awareness training on our blog post.

5. Advanced Reporting and Analytics

Picture 9: Keepnet Reporting Feature
  • Executive Reporting: Provides insights into employee vulnerability to spoofing, including brand-targeted phishing data.
  • Custom Q&A Reports: Generates department-specific or organization-wide analysis on employee performance in simulations.
  • Behavioral Metrics: Tracks training progress to identify high-risk users and teams targeted by spoofing attempts.

Keepnet’s Reporting Suite not only tracks employee performance in quishing simulations but also provides brand-specific insights, helping organizations identify which spoofed brands pose the highest risks.

To dive deeper into reporting, read our guide on executive reports and advanced reports.

6. Proactive Threat Intelligence and Incident Response

Keepnet’s Threat Intelligence monitors the signs of compromised accounts related to your employees, allowing businesses to detect threats early and act before damage occurs.

Watch the video below to learn more details about Keepnet Threat Intelligence.

Responding to email threats quickly is important. While manual responses take an average of 9 hours, Keepnet’s automated Incident Responder identifies and neutralizes threats in minutes.

  • Email and URL Analysis: Evaluate suspicious emails, URLs, IPs, and files using advanced detection tools.
  • Immediate Action: Removes or quarantines malicious emails directly from inboxes.
  • Integrated Technology: Works with multiple detection engines, even if your organization lacks certain tools.

Watch the video below to learn more details about Keepnet Incident Responder.

With Threat Intelligence and Incident Responder, Keepnet helps businesses minimize risks and respond to threats faster than ever.

Keepnet’s Incident Responder neutralizes threats in minutes by identifying and quarantining emails containing malicious QR codes, drastically reducing exposure time and risk.
